Sunday, September 27, 2009

Leaky Social Networks

A "leakage," by the definition of a recent study by Worcester Polytechnic Institute researcher Craig E. Wills and AT&T Labs' Balachander Krishnamurthy, is the opportunity for a third party to link the information they get from the social networks (either in the form of logs or browser cookies) to someone's PII. Your name, phone number, and dog's favorite treat aren't passed on directly, but can easily be pieced together.

How is that possible? Not through your name, but through your profile's unique identifier, which is apparently included in the data given to advertisers from most social networks. "We found that when social networking sites pass information to tracking sites about your activities, they often include this unique identifier. So now a tracking site not only has a profile of your Web browsing activities, it can link that profile to the personal information you post on the social networking site," Wills said. "Now your browsing profile is not just of somebody, it is of you."

As we've discussed in a previous class, personally identifiable information is a very broad term. Previous studies have shown that pieces of "anonymous" data can be combined to identify unique individuals. For example, MIT's Latanya Sweeney found that 87% of US citizens can be uniquely identified by a combination of their birth date, gender, and zip code.

In this case though, the data leaked is not as abstract and leads an interested party directly to your profile.
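The following is an added example, not code from the study or from this post: it audits a browser capture for this kind of leakage by flagging third-party requests that carry the profile identifier, then lists every page the same tracker cookie was sent from. The domains, identifier, cookie values, and the assumption that the identifier travels in the request URL, Referer header, or cookie are constructed for illustration.

```python
from urllib.parse import urlsplit

FIRST_PARTY = "social.example"   # hypothetical social network domain
PROFILE_ID = "1234567890"        # constructed profile identifier

# Constructed capture: requests a browser made while viewing a profile page
# and, later, an unrelated news page. Fields mirror the HTTP request headers.
REQUESTS = [
    {"url": "https://social.example/profile.php?id=1234567890", "referer": "", "cookie": "session=abc"},
    {"url": "https://cdn.social.example/style.css", "referer": "https://social.example/profile.php?id=1234567890", "cookie": ""},
    {"url": "https://ads.tracker.example/pixel.gif", "referer": "https://social.example/profile.php?id=1234567890", "cookie": "uid=T-77"},
    {"url": "https://stats.metrics.example/collect?page=profile&u=1234567890", "referer": "https://social.example/", "cookie": "vid=M-12"},
    {"url": "https://ads.tracker.example/pixel.gif", "referer": "https://news.example/story/42", "cookie": "uid=T-77"},
    {"url": "https://fonts.static.example/a.woff", "referer": "https://social.example/", "cookie": ""},
]

def is_third_party(host, first_party=FIRST_PARTY):
    """True when host is neither the first-party domain nor one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))

def find_leaks(requests, profile_id=PROFILE_ID):
    """Return (host, channel, tracker_cookie) for each third-party request carrying the ID."""
    leaks = []
    for r in requests:
        host = urlsplit(r["url"]).hostname
        if not is_third_party(host):
            continue
        # Plain substring match: good enough for an audit, but an ID that is a
        # prefix of a longer number would need token-aware matching.
        for channel in ("url", "referer", "cookie"):
            if profile_id in r[channel]:
                leaks.append((host, channel, r["cookie"]))
    return leaks

def linked_history(requests, leaks):
    """Map each (tracker, cookie) that saw the ID to every page that cookie was sent from."""
    linked = {}
    for host, _, cookie in leaks:
        if cookie:  # without a tracker cookie there is nothing to join on
            linked[(host, cookie)] = [r["referer"] for r in requests
                                      if urlsplit(r["url"]).hostname == host and r["cookie"] == cookie]
    return linked

if __name__ == "__main__":
    found = find_leaks(REQUESTS)
    print(found)
    print(linked_history(REQUESTS, found))
```

The second function shows the linkage the study describes: once one request ties a tracker's own cookie to the profile identifier, every other page that cookie was seen on is attributable to the same profile.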

2 comments:

I wasn't entirely sure where to post this, but I guess this article at least relates to passwords.

http://www.newsweek.com/id/217014

Anyways, there was an article this week in Newsweek that discusses the current problems and misconceptions regarding passwords, and some possible future solutions for securing our data. We've all been told to vary our passwords, to include numbers and symbols, and to never write down or email our passwords to ourselves, but at one point or another we all break these rules simply because passwords are inconvenient. The lack of security provided by passwords is evident--every day on Facebook it seems like one of my friends is posting the same advertisement on all of his or her friends' walls as a result of their account being hacked. Sarah Palin had her personal email hacked into during the campaign by someone who simply used public information to answer her security questions. There are potential replacements to the password, but it is difficult finding the right balance between security and convenience for the user. For example, many people don't want to have to wait for a text message in order to receive a unique pass-number to access their favorite website, but they may be willing to enter their fingerprint into the computer. Furthermore, the article states that biometrics have been a disappointment and voice recognition is not nearly reliable. It seems today that the widespread use of technology should actually help us to create new security measures rather than just causing a greater potential for security breaches. It still seems to me that if image recognition could somehow become used in the mainstream it could solve most of the problems with a password. Most new computers come with cameras. A computer or website could access the camera on the computer when a user logs in. The inconvenience factor certainly exists, for example if one needs someone to access their computer when they were gone.
Yet the laughable insecurity of passwords poses such a great threat to the security of individuals, companies, and the government that some new solution needs to be introduced and implemented quickly.

I think this is one of the most important threats to the privacy of individuals online and something I had never considered before this class. The problem is that although most people are aware of the data they place on the internet, they do not necessarily consider the implications. That is, for example, one might think that providing a credit card number on one website and an address on another website will do no harm. However, as the article implies and as we talked about in class, it is becoming increasingly easy to aggregate data, especially on the public realm that is the internet. This is where the danger lies: separate pieces of information may say little about a person but many pieces put together provide more information than most people would want strangers to know. With the ease of data collection, there is more incentive for businesses and cyber criminals to aggregate information about individuals and use it as they wish. Most times, those affected have no idea what is occurring until it is too late. I did not know these identifiers were being placed on social network profile pages and don’t think I like the idea of them.

About Me

In my spare time I am an Adjunct Professor in the Computer Science Department at Georgetown University in Washington, DC. This blog chronicles our class discussion and applies theories of Information Privacy and Security to everyday events.